This guide describes procedures for requesting a certificate that includes custom subject alternative names (SANs) and provides guidance for choosing which procedures should be used.

The use of Secure Sockets Layer/Transport Layer (SSL/TLS) for secure communications is common to many Internet and enterprise server technologies. A valid server authentication certificate is a fundamental requirement of SSL/TLS protocols.

The use of SANs in server authentication certificates enables a single certificate to be bound to multiple names on a single computer; for example, a Web server might be identified by multiple DNS names. Also, multiple computers might host a Web site and each computer can request a certificate with the site's DNS name in the SAN.

Using this guide

This guide describes security best practices for allowing custom SANs in certificates and provides procedures that can be used to request a certificate with a SAN.

For some combinations of client computer operating system and CA, two different procedures can be used: one procedure using the command-line application Certreq.exe and another procedure using either the Certificate Enrollment wizard or the CA Web enrollment pages. The choice is a matter of preference, experience with the applications being used, number of certificates, and the requirements of your organization.

Certreq.exe can be used with any of the listed combinations of client and CA. However, SANs can be specified by using three different methods depending on your client computer operating system version and CA type. Procedures are described for all three methods.

This guide does not describe procedures that use CA Web enrollment pages. Using CA Web enrollment pages and SAN attributes requires EDITF_ATTRIBUTESUBJECTALTNAME2 to be enabled on your CA. Review Security best practices for allowing SANs in certificates before enabling EDITF_ATTRIBUTESUBJECTALTNAME2.

For procedures describing how to use CA Web enrollment pages to add SAN attributes to certificate requests, see article 187306 in the Microsoft Knowledge Base. The procedures are the same for a Web server certificate and a secure LDAP certificate.

If you have a high number of certificates to request, Certreq.exe can be used in a script or batch file to automate the certificate request procedures. Use the procedures and commands described in this guide as examples.

Security best practices for allowing SANs in certificates

The following are security best practices for allowing SANs in certificates:

In general, the use of user-defined SANs can increase the risk of impersonation attacks because it allows a user to specify arbitrary names in a certificate request. Because user input can be abused by persons with malicious intent, precautions should be taken to mitigate the risks associated with the use of user-defined SANs and protect the integrity of your public key infrastructure (PKI).

Certificate requests that contain SANs should be held in a pending state until they can be reviewed by a certificate manager. For information about configuring certificate templates to require certificate manager approval, see Issuance Requirements.

Implement administrative procedures for reviewing pending certificate requests and verifying the requester is authorized to use the requested subject names.

Implement separation of duties and role-based administration to ensure that individuals who can request certificates with SANs cannot also issue them. See Implement Role-Based Administration.

Do not enable EDITF_ATTRIBUTESUBJECTALTNAME2 on an enterprise CA. If this is enabled, user-defined SANs are allowed in every certificate request.

Whenever possible, specify a SAN by using certificate extensions instead of request attributes to avoid enabling EDITF_ATTRIBUTESUBJECTALTNAME2.

If you must enable EDITF_ATTRIBUTESUBJECTALTNAME2, consider adding to your PKI a standalone CA that issues only certificates with SANs.

If you must use SAN attributes because your server that requires a certificate with a SAN is running Windows Server 2003, consider completing certificate enrollment procedures on a computer that is running Windows Server 2008, Windows Vista, or later.

Using the Certificate Enrollment wizard

The Certificate Enrollment wizard can be used to include SANs in a certificate request. The Certificate Enrollment wizard can submit the request to an enterprise CA, or the request can be saved to a file and submitted to a standalone CA in your organization, a public CA, or another CA product.

Understand your CA procedures and requirements for certificate requests. In particular, you should confirm the following before creating a certificate request:

Cryptographic service provider (CSP)

Supported request formats: CMC, PKCS #7, or PKCS #10

The Certificate Enrollment wizard is available beginning with computers running Windows Server 2008 or Windows Vista. The wizard can be used to submit certificate requests to enterprise and standalone CAs running Windows Server 2003 or later.

Procedures are described for using the Certificate Enrollment wizard with an enterprise CA or standalone CA. Use the procedure that is appropriate for your CA type.

You must be a member of the local Administrators group to complete these procedures.

Using the Certificate Enrollment wizard with an enterprise CA

Complete the following procedure to request a certificate with a SAN for a computer running Windows Server 2008 or later. You must use an enterprise CA running Windows Server 2008 or later.

The Web Server certificate template is used as an example in the following procedure. Use the template that is appropriate for your environment. The account used to create the request must have Read and Enroll permissions on the certificate template. The template must be configured to accept user-defined SANs.

To use the Certificate Enrollment wizard with an enterprise CA

Log on to the server as a member of the local Administrators group.

Click Start.

In the Search programs and files box, type mmc.exe, and press ENTER.

On the File menu, click Add/Remove Snap-in.

In the list of available snap-ins, click Certificates, and then click Add.

Click Computer account, and click Next.

Click Local computer, and click Finish.

Click OK.

In the console tree, double-click Certificates (Local Computer), and then double-click Personal.

Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Enrollment wizard.

Click Next.

Click Next.

Select the Web Server template. Click the warning icon below More information is required to enroll for this certificate. Click here to configure these settings.

Note the warning icon on the Subject tab. This tells you what type of information is required.

Note

Because SSL/TLS does not require a Subject name when a SAN extension is included, the Subject name can be empty. If you are using another protocol, verify the certificate requirements. To use an empty Subject name, skip steps 15 and 16.

In the Subject name area under Type, click Common Name.

In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.

In the Alternative name area under Type, click DNS.

In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add.

Repeat steps 17 and 18 above for each additional SAN that you require. Click OK when finished.

Note

If you are requesting a certificate for a computer other than your client computer, the private key must be exportable. To specify that the private key is exportable, click the Private Key tab, click the Key Options arrow, and click Make private key exportable. The CA must also be configured to support exportable private keys.

Click Enroll.

After enrollment succeeds, click Finish.

Using the Certificate Enrollment wizard with a standalone CA

Complete the following procedure to create a certificate request with a SAN.

The certificate request is saved to a file that can be submitted to a standalone CA in your organization, a public CA, or another CA product that accepts certificate requests as defined in IETF RFC 4211.

To use the Certificate Enrollment wizard with a standalone CA

In the Certificates snap-in, right-click the Personal folder, point to All Tasks, point to Advanced Operations, and then click Create Custom Request.

This will start the Certificate Enrollment wizard.

Click Next.

Click Proceed without enrollment policy, and then click Next.

In the Template list, click either (No template) CNG key or (No template) Legacy key. (No template) CNG key will ensure that the private key will be generated by the new Cryptography Next Generation key storage provider (KSP) and may not be usable by all applications. To ensure interoperability, click (No template) Legacy key, which will use the CAPI2 cryptographic service provider (CSP).

For Request format, click either PKCS #10 or CMC. PKCS #10 is generally accepted by all CAs. If you will not submit the custom request to a Microsoft standalone CA, check with your CA vendor to determine if the CMC format is supported.

Click Next.

Click the Details arrow, and then click Properties. You will need to configure all the certificate request options so that the issued certificate will be suitable for TLS/SSL.

On the Subject tab:

Note

Because SSL/TLS does not require a Subject name when a SAN extension is included, the Subject name can be empty. If you are using another protocol, verify the certificate requirements. To use an empty Subject name, skip steps 8a and 8b.

1. In the **Subject name** area under **Type**, click **Common Name**.
2. In the **Subject name** area under **Value**, enter the fully qualified domain name of the server, and then click **Add**.
3. In the **Alternative name** area under **Type**, click **DNS**.
4. In the **Alternative name** area under **Value**, enter the fully qualified domain name of the server, and then click **Add**.
5. Repeat steps c and d above for each SAN you want to specify.

On the Extensions tab:

Click the Key usage arrow. In the Available options list, click Digital signature, and then click Add. Click Key encipherment, and then click Add.

Click the Extended Key Usage (application policies) arrow. In the Available options list, click Server Authentication and Client Authentication, and then click Add.

On the Private Key tab:

Click the Cryptographic Service Provider arrow, and verify the following:

Click the Key options arrow. In the Key size list, select a key size. If desired, select the Make private key exportable check box. Do not select either the Allow private key to be archived or Strong private key protection check box.

The specified hash algorithm is used in the request. You must specify a hash algorithm that is compatible with your client computer and CA.

4. Click the **Key permissions** arrow. If the application or service runs as Network Service, grant the Network Service account Read permission. If the application or service that will use this certificate runs as Local System, no permissions changes are required.

Click OK.

Click Next.

Enter a path and file name indicating where the request file will be saved.

Select the Base 64 format.

Click Finish.

Next, submit the certificate request and complete certificate enrollment by using Certreq.exe. See Completing certificate enrollment by using Certreq.exe.

Using Certreq.exe

Certreq.exe is a command-line tool that is used to perform several certificate enrollment operations.

This section includes the following procedures:

Creating a RequestPolicy.inf file

Customizing RequestPolicy.inf for your environment

Generating a SAN extension by using MakeSanExt.vbs

Creating a certificate request by using Certreq.exe

Completing certificate enrollment by using Certreq.exe

Creating a RequestPolicy.inf file

To create a new certificate request, Certreq.exe reads certificate request settings from a text file specified by the user. For example purposes, this guide uses the file name RequestPolicy.inf.

Complete the following procedure to create a certificate request policy settings file named RequestPolicy.inf. After saving the file, edit the settings by completing the procedure Customizing RequestPolicy.inf for your environment.

To create a RequestPolicy.inf file

Click Copy Code at the top of the code section.

Start Notepad.

On the Edit menu, click Paste.

On the File menu, click Save.

Type a path for the file, type the file name RequestPolicy.inf, and click Save.

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=www01.fabrikam.com" ; Remove to use an empty Subject name.
;Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
;If you are using another protocol, verify the certificate requirements.
EncipherOnly = FALSE ; Only for Windows Server 2003 and Windows XP. Remove for all other client operating system versions.
Exportable = FALSE ; TRUE = Private key is exportable
KeyLength = 2048 ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange – Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10 ; or CMC.
[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=www01.fabrikam.com&"
_continue_ = "dn=CN=www01,OU=Web Servers,DC=fabrikam,DC=com&"
_continue_ = "url=http://www.fabrikam.com&"
_continue_ = "ipaddress=172.31.10.134&"
_continue_ = "email=hazem@fabrikam.com&"
_continue_ = "upn=hazem@fabrikam.com&"
_continue_ = "guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&"
; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; SANs can be included in the Extensions section only by adding Base64-encoded text containing the alternative names in ASN.1 format.
; Use the provided script MakeSanExt.vbs to generate a SAN extension in this format.
2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ==
[RequestAttributes]
; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; and you are using a standalone CA, SANs can be included in the RequestAttributes
; section by using the following text format.
SAN="dns=www01.fabrikam.com&dns=www.fabrikam.com&ipaddress=172.31.10.130"
; Multiple alternative names must be separated by an ampersand (&).
CertificateTemplate = WebServer ; Modify for your environment by using the LDAP common name of the template.
;Required only for enterprise CAs.

Customizing RequestPolicy.inf for your environment

When using Certreq.exe and a RequestPolicy.inf file, there are three methods that can be used to specify SAN information in a certificate request.

Identify your client operating system in the following table to determine which methods you can use.

Windows Server 2008 R2 or later

Windows Server 2008

Windows Server 2003 R2

Windows Server 2003

Windows 7 or later

Windows Vista

Windows XP

Add a SAN extension in text format to the Extensions section of RequestPolicy.inf.

X

X

X

X

Add a SAN extension in base64-encoded ASN.1 format to the Extensions section of RequestPolicy.inf.

X

X

X

Add a SAN attribute to the RequestAttributes section of RequestPolicy.inf.

X

X

X

X

X

X

X

Warning

Adding a SAN attribute to the RequestAttributes section of RequestPolicy.inf also requires that the CA is configured to accept SAN attributes by enabling EDITF_ATTRIBUTESUBJECTALTNAME2, which can put your PKI at risk for impersonation attacks.
Whenever possible, specify SAN information by using certificate extensions instead of request attributes to avoid enabling EDITF_ATTRIBUTESUBJECTALTNAME2.
Do not enable EDITF_ATTRIBUTESUBJECTALTNAME2 on an enterprise CA.
For more information about risks and mitigations, see Security best practices for allowing SANs in certificates.

After determining which method you will use, complete the following procedure to customize the RequestPolicy.inf file for your environment.

To customize RequestPolicy.inf for your environment

Open the RequestPolicy.inf file with Notepad.

Change the Subject name to match the FQDN of your server.

Note

Because SSL/TLS does not require a Subject name when a SAN extension is included, the Subject name can be empty. If you are using another protocol, verify the certificate requirements.

Add SAN information by completing one of the following steps:

Method 1: Change the text value of the SAN extension. Use the examples in the RequestPolicy.inf file as guidance.

Method 2: Generate base64-encoded SAN information by completing the procedure Generating a SAN extension by using MakeSanExt.vbs.

Method 3: Change the text value of the SAN attribute in the RequestAttributes section.

Remove the example SAN information for the two methods you are not using.

Review the rest of the settings in the file. Using the comments for guidance, change the values of other settings to meet the requirements of your organization and CA. The example values are appropriate for a server authentication certificate.

On the File menu, click Save.

Generating a SAN extension by using MakeSanExt.vbs

Complete the following procedure to generate a base64-encoded SAN extension.

To create and run MakeSanExt.vbs

Click Copy Code at the top of the code section.

Start Notepad.

On the Edit menu, click Paste.

On the File menu, click Save.

Type a path for the file, type the file name MakeSanExt.vbs, and click Save.

At a command prompt, type the following command, and press ENTER:

Cscript MakeSanExt.vbs <FQDN> [<FQDN> … ]

Copy the command output, and paste it into the Extensions section of the RequestPolicy.inf file.

To complete certificate enrollment by using Certreq.exe

If a message is displayed indicating that the certificate request is pending, the certificate must be issued by a certificate manager or CA administrator by using the Certification Authority snap-in. After the certificate is issued, it must be retrieved by using the command in step 3. If the certificate is issued immediately by the CA, the file specified by <CertificateResponse.txt> contains the certificate. Use the command in step 4 to install the certificate into the certificate store.

The –config option is followed by a string specifying a host name and CA name in the format HostName\CAName.

ServerName

The name of the server that hosts the CA.

CAName

The CA name.

CertificateRequest.req

The path and name of the file containing the certificate request that was created by using either the Certificate Enrollment wizard or the Certreq.exe -new command.

CertificateResponse.cer

The path and name of the file receiving the issued certificate from the CA. If the certificate request is pending, the file contains a message from the CA indicating the status of the request and the request ID. The request ID is used to retrieve the certificate after it is issued by a certificate manager or CA administrator.

RequestID

Numeric value used to retrieve a certificate from your CA. The RequestID value is included in the response from the CA when the certificate request is held in a pending state.